Goodbye SHA-1 Certificates. Hello SHA-2!

A large number of SSL certificates deployed by existing websites are signed using SHA-1 — a secure hash algorithm developed by the US National Security Agency (NSA).

Since at least 2005, cryptology experts have been aware that SHA-1 might be susceptible to ‘collision attacks’, which might enable attackers to obtain fraudulent certificates. It could also potentially allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. As such, SHA-1 might not be secure enough to protect public key infrastructure (PKI).

On 16 October 2014, the CA/Browser Forum voted to sunset the use of SHA-1 certificates. Microsoft announced that Windows will stop accepting SHA-1 certificates in SSL by 2017. Google announced that, beginning with Chrome v39, it would add warning indicators (see chart below) for sites using SHA-1 certificates expiring after December 31, 2017. Subsequent updates of Chrome would also warn visitors on sites using SHA-1 certificates expiring in 2016. Mozilla also plans to stop accepting SHA-1-based SSL certificates by 2017.

As a Verizon Digital Media Services customer, you should be aware that if you are using a legacy SHA-1 SSL certificate, you and your end users might be affected by the perceived weaknesses in SHA-1. If you have a hosted or shared SSL certificate with Verizon Digital Media Services, we will automatically upgrade your SSL certificate to SHA-2.

Your end-user clients will need to meet the minimum browser or mobile device compatibility to use these SHA-2 certificates. If you want to support older browser clients or older mobile device clients, and hence don’t want to upgrade, you can avoid the upgrade by switching to a dedicated SSL certificate.

If you already have a dedicated SSL certificate with us, you will need to contact us if you want to upgrade (at no additional charge) to a new, more secure SHA-2 SSL certificate (compatible with most browsers), or you can choose to remain with your SHA-1 certificate in order to stay compatible with all browsers.